ebmdatalab / metrics


Manually managing GitHub PATs is challenging and fragmented #194

Open Jongmassey opened 2 months ago

Jongmassey commented 2 months ago

Currently, metrics requires three GitHub PATs across three organisations: opensafely, opensafely-core, and ebmdatalab.

There are other Bennett projects which require GitHub PATs to work, e.g. job-server.

AIUI the current process is for the developer who is working on a change that adds the need for a PAT to generate the required PAT in their own account (with a long expiry date) and to add it to the right place(s) to make things work in production.

Additional to this, the PATs for ebmdatalab require admin approval.

A recent change removed widespread admin permissions from developers and broke this process.

Having these important tokens scattered across potentially multiple developer accounts feels fragile, especially if those accounts are disabled/the owner leaves the Bennett institute.

Should we manage these centrally/generally better?

tomodwyer commented 2 months ago

Bitwarden have a tool called Secrets Manager which may make some of this management easier.

Jongmassey commented 2 months ago

Additional context:

Following the revocation of my admin permissions on the opensafely org, I could still create a PAT that nominally had read permissions on the organisation codespaces (which requires admin permissions), but any attempt to use it would give a 403 error.

Nice footgun that I shot myself with

sebbacon commented 2 months ago

Another option to evaluate/consider: https://cloud.google.com/secret-manager/docs/overview

madwort commented 2 months ago

is this a duplicate of https://github.com/ebmdatalab/metrics/issues/67 ? (the upshot of which is - create a machine user & generate a PAT from that?)

Jongmassey commented 2 months ago

I think it is. I didn't have visibility of the previous (quite revealing!) Slack thread as it was a ~ecumenical~ pipeline matter

iaindillingham commented 2 months ago

This issue is related.

StevenMaude commented 2 months ago

Also related to this issue: https://github.com/opensafely-core/interactive-templates/issues/118#issuecomment-1516185538


GitHub's recommendation is to use GitHub Apps, but I don't know how viable that is for these use cases:

If you want to access GitHub resources on behalf of a user or in an organization, or you anticipate a long-lived integration, we recommend building a GitHub App.

StevenMaude commented 1 month ago

For what it's worth, because I mentioned this to Lucy after encountering an expired PAT in the interactive-templates repository, the create-pull-request action has a minimal example of using GitHub App tokens in its documentation.

This does require another action on top to generate the token, and I don't know if this satisfies all use cases here (if we need PATs where applications are running), but it might be worth testing out, at least in the case of using GitHub Actions.

:warning: The documentation links to a third-party action. There is an official action made by GitHub for creating tokens.

While I'm here, Pygithub can manage GitHub App tokens as well.
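
The workflow below is an added example of the GitHub Actions route described in the comment above; it is not code from the metrics repository or from any of the linked threads. It uses GitHub's official `actions/create-github-app-token` action to mint a short-lived installation token in place of a developer PAT. The secret names `APP_ID` and `APP_PRIVATE_KEY`, the workflow name, and the target repository name are assumptions; the App has to be installed on the organisation(s) the job needs to reach.

```yaml
# Added example, not part of the metrics project.
# Assumed secrets (hypothetical names): APP_ID, APP_PRIVATE_KEY.
# The App's private key is the only long-lived secret; the token the
# job actually uses expires after one hour and is tied to an installation,
# not to any developer's account.
name: metrics-app-token-example

on:
  schedule:
    - cron: "0 6 * * *"
  workflow_dispatch:

permissions:
  contents: read   # the built-in GITHUB_TOKEN only needs to check out the repo

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Official GitHub action: exchanges the App's private key for an
      # installation access token. One installation (and so one token)
      # per organisation; repeat this step, or use a matrix, for
      # opensafely, opensafely-core and ebmdatalab.
      - name: Mint App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: opensafely-core
          # Restrict the token to the repos this job needs; omit to cover
          # every repo the App is installed on in that org.
          repositories: example-target-repo   # hypothetical name

      - name: Check what the token can actually reach
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Verify the installation scope before relying on the token.
          # A 403 here means the App lacks the permission, the same
          # failure mode as the over-scoped codespaces PAT above.
          gh api /installation/repositories --jq '.repositories[].full_name'
```

Two caveats for this thread's use cases: the minted token is scoped to a single installation, so a job that spans three organisations needs three tokens rather than one PAT with everything on it, and this only covers GitHub Actions. For services running outside Actions, the App's private key still has to live somewhere, which is where a central store such as the Secrets Manager options mentioned earlier comes in, but that key is a single, org-owned secret rather than one PAT per developer.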

StevenMaude commented 1 month ago

It would also probably be useful to have a full list of where we're using PATs, if we don't already.

I suspect the most important ones are already listed in the team manual, but I don't think it's exhaustive.